package org.apache.cxf.ws.security.wss4j;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.dom.DOMSource;
import org.apache.commons.io.IOUtils;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.CustomTokenPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.processor.Processor;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.validate.NoOpValidator;
import org.apache.ws.security.validate.Validator;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-2.4.4.jar:org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.class */
public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
    // Message key under which storeTimestamp() saves the last timestamp result.
    public static final String TIMESTAMP_RESULT = "wss4j.timestamp.result";
    // Message key under which storeSignature() saves the last signature result.
    public static final String SIGNATURE_RESULT = "wss4j.signature.result";
    // Message key under which doResults() saves the principal taken from the security results.
    public static final String PRINCIPAL_RESULT = "wss4j.principal.result";
    // Constructor-property key: a map keyed by QName that the Map constructor feeds to createSecurityEngine().
    public static final String PROCESSOR_MAP = "wss4j.processor.map";
    // Constructor-property key: a second QName-keyed map, merged over PROCESSOR_MAP by the Map constructor.
    public static final String VALIDATOR_MAP = "wss4j.validator.map";
    // Marker key handleMessage() sets so that a message is processed only once; assigned in the static initializer.
    public static final String SECURITY_PROCESSED;
    private static final Logger LOG;
    // Separate logger used only for the timing line written at the end of handleMessage().
    private static final Logger TIME_LOG;
    // When true, checkActions() accepts the message without comparing received results to the configured actions.
    private boolean ignoreActions;
    // Engine built by the Map constructor; getSecurityEngine() returns it ahead of any default engine.
    private WSSecurityEngine secEngineOverride;
    // Decompiler-exposed flag backing the assertion in createSecurityEngine(); set in the static initializer.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-2.4.4.jar:org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor$CXFRequestData.class */
    public static class CXFRequestData extends RequestData {
        /**
         * Maps a security-header element name to the message property that may carry a
         * custom validator for it.
         *
         * @param qName element name of the token being validated
         * @return the property key to look up, or {@code null} when no property is defined for it
         */
        private static String validatorPropertyFor(QName qName) {
            if (WSSecurityEngine.SAML_TOKEN.equals(qName)) {
                return SecurityConstants.SAML1_TOKEN_VALIDATOR;
            }
            if (WSSecurityEngine.SAML2_TOKEN.equals(qName)) {
                return SecurityConstants.SAML2_TOKEN_VALIDATOR;
            }
            if (WSSecurityEngine.USERNAME_TOKEN.equals(qName)) {
                return SecurityConstants.USERNAME_TOKEN_VALIDATOR;
            }
            if (WSSecurityEngine.SIGNATURE.equals(qName)) {
                return SecurityConstants.SIGNATURE_TOKEN_VALIDATOR;
            }
            if (WSSecurityEngine.TIMESTAMP.equals(qName)) {
                return SecurityConstants.TIMESTAMP_TOKEN_VALIDATOR;
            }
            if (WSSecurityEngine.BINARY_TOKEN.equals(qName)) {
                return SecurityConstants.BST_TOKEN_VALIDATOR;
            }
            boolean securityContextToken = WSSecurityEngine.SECURITY_CONTEXT_TOKEN_05_02.equals(qName)
                    || WSSecurityEngine.SECURITY_CONTEXT_TOKEN_05_12.equals(qName);
            return securityContextToken ? SecurityConstants.SCT_TOKEN_VALIDATOR : null;
        }

        /**
         * Returns the validator for a token type, preferring one configured as a contextual
         * property of the current message over the validator the superclass would supply.
         *
         * <p>The property value may be a {@link Validator} instance, a {@code Class}, or a class
         * name. A class or class name is instantiated reflectively, so these properties select
         * the code that decides whether a token is trusted: they should only ever be set from
         * deployment configuration, never derived from message content.
         *
         * @param qName element name of the token being validated
         * @return the configured validator, or the superclass's choice when none is configured
         * @throws WSSecurityException if the configured class cannot be loaded or instantiated
         */
        @Override // org.apache.ws.security.handler.RequestData
        public Validator getValidator(QName qName) throws WSSecurityException {
            String propertyKey = validatorPropertyFor(qName);
            if (propertyKey == null) {
                return super.getValidator(qName);
            }
            Object configured = ((SoapMessage) getMsgContext()).getContextualProperty(propertyKey);
            try {
                if (configured instanceof Validator) {
                    return (Validator) configured;
                }
                if (configured instanceof Class) {
                    return (Validator) ((Class<?>) configured).newInstance();
                }
                if (configured instanceof String) {
                    Class<?> validatorClass = ClassLoaderUtils.loadClass(configured.toString(), WSS4JInInterceptor.class);
                    return (Validator) validatorClass.newInstance();
                }
            } catch (RuntimeException e) {
                // Unchecked failures (including a ClassCastException for a non-Validator class) pass through as-is.
                throw e;
            } catch (Throwable th) {
                throw new WSSecurityException(th.getMessage(), th);
            }
            // Property unset, or of a type not handled above: fall back to the superclass.
            return super.getValidator(qName);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/cxf-rt-ws-security-2.4.4.jar:org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor$TokenStoreCallbackHandler.class */
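    /**
     * Callback handler that answers key requests from a {@link TokenStore} before falling back
     * to an optional wrapped handler.
     *
     * <p>This handler hands out token secrets keyed only by the identifier carried in the
     * callback, so the store it is given must contain only tokens the endpoint is prepared to
     * accept.
     */
    public class TokenStoreCallbackHandler implements CallbackHandler {
        private final CallbackHandler internal;
        private final TokenStore store;

        /**
         * @param callbackHandler handler consulted when the store has no matching token; may be {@code null}
         * @param tokenStore store searched for a token matching each callback's identifier
         */
        public TokenStoreCallbackHandler(CallbackHandler callbackHandler, TokenStore tokenStore) {
            this.internal = callbackHandler;
            this.store = tokenStore;
        }

        /**
         * Supplies the key for the first callback whose identifier matches a stored token and
         * returns immediately; if none matches, passes the whole array to the wrapped handler.
         *
         * @param callbackArr callbacks raised by the security engine
         * @throws IOException propagated from the wrapped handler
         * @throws UnsupportedCallbackException if a callback is not a {@link WSPasswordCallback}
         *         and there is no wrapped handler to take it, or as propagated from that handler
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (!(callback instanceof WSPasswordCallback)) {
                    // Report foreign callback types per the CallbackHandler contract instead of
                    // failing with a ClassCastException; the wrapped handler gets them below.
                    if (this.internal == null) {
                        throw new UnsupportedCallbackException(callback);
                    }
                    continue;
                }
                WSPasswordCallback passwordCallback = (WSPasswordCallback) callback;
                String identifier = passwordCallback.getIdentifier();
                if (identifier == null) {
                    // Nothing to look up; a missing identifier must never select a stored secret.
                    continue;
                }
                String type = passwordCallback.getType();
                boolean lookupByDigest = SecurityTokenReference.ENC_KEY_SHA1_URI.equals(type)
                        || WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(type);
                if (lookupByDigest) {
                    // These reference types identify the token by its SHA-1 value, not its id.
                    for (SecurityToken candidate : this.store.getValidTokens()) {
                        if (identifier.equals(candidate.getSHA1())) {
                            passwordCallback.setKey(candidate.getSecret());
                            return;
                        }
                    }
                } else {
                    SecurityToken token = this.store.getToken(identifier);
                    if (token != null) {
                        passwordCallback.setKey(token.getSecret());
                        passwordCallback.setCustomToken(token.getToken());
                        return;
                    }
                }
            }
            if (this.internal != null) {
                this.internal.handle(callbackArr);
            }
        }
    }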

    /**
     * Creates the interceptor in the PRE_PROTOCOL phase, ordered after the SAAJ interceptor
     * that this class names in its "after" set.
     */
    public WSS4JInInterceptor() {
        setPhase(Phase.PRE_PROTOCOL);
        String saajInterceptorId = SAAJInInterceptor.class.getName();
        getAfter().add(saajInterceptorId);
    }

    /**
     * Creates the interceptor with the action check switched on or off.
     *
     * @param z initial value of the ignore-actions flag; {@code true} makes checkActions()
     *          accept a message without comparing the security results against the
     *          configured actions
     */
    public WSS4JInInterceptor(boolean z) {
        this();
        ignoreActions = z;
    }

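    /**
     * Creates the interceptor from a property map and, when the map carries custom processors
     * or validators, builds a dedicated security engine from them.
     *
     * <p>Entries under {@link #VALIDATOR_MAP} are applied over those under
     * {@link #PROCESSOR_MAP}, so a validator replaces a processor registered for the same
     * QName. The merge is done on a private copy: the maps supplied by the caller are left
     * untouched, and unmodifiable maps are accepted.
     *
     * @param map interceptor properties; must not be {@code null}
     */
    public WSS4JInInterceptor(Map<String, Object> map) {
        this();
        setProperties(map);
        Map<QName, Object> processors = CastUtils.cast((Map<?, ?>) map.get(PROCESSOR_MAP));
        Map<QName, Object> validators = CastUtils.cast((Map<?, ?>) map.get(VALIDATOR_MAP));
        if (processors == null && validators == null) {
            return;
        }
        Map<QName, Object> merged = new HashMap<QName, Object>();
        if (processors != null) {
            merged.putAll(processors);
        }
        if (validators != null) {
            merged.putAll(validators);
        }
        this.secEngineOverride = createSecurityEngine(merged);
    }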

    /**
     * Names the extra interceptor that must be installed with this one.
     *
     * @return a new single-element list holding the shared SAAJ pre-in interceptor
     */
    @Override // org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor, org.apache.cxf.phase.PhaseInterceptor
    public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
        List<PhaseInterceptor<? extends Message>> extras = new ArrayList<PhaseInterceptor<? extends Message>>(1);
        extras.add(SAAJInInterceptor.SAAJPreInInterceptor.INSTANCE);
        return extras;
    }

    /**
     * Switches the action check on or off.
     *
     * @param z {@code true} makes checkActions() accept every message without comparing the
     *          security results found in it against the configured actions; leave it
     *          {@code false} unless another component enforces what must be signed or encrypted
     */
    public void setIgnoreActions(boolean z) {
        ignoreActions = z;
    }

    /**
     * Runs the shared SAAJ interceptor on the message and returns the SAAJ view it stores.
     *
     * @param soapMessage the CXF message being processed
     * @return the message's {@link SOAPMessage} content, as found after the SAAJ interceptor ran
     */
    private SOAPMessage getSOAPMessage(SoapMessage soapMessage) {
        SAAJInInterceptor.INSTANCE.handleMessage(soapMessage);
        Object saajContent = soapMessage.getContent(SOAPMessage.class);
        return (SOAPMessage) saajContent;
    }

    /**
     * Looks up a handler property, with one fallback: on the requestor side the SEND_SIGV
     * property is read from the exchange's outbound message when it is not found otherwise.
     *
     * @param obj the message context; cast to {@link SoapMessage} only on the fallback path
     * @param str property name
     * @return the property value, or {@code null} when it is not set anywhere consulted
     */
    @Override // org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor, org.apache.ws.security.handler.WSHandler
    public Object getProperty(Object obj, String str) {
        Object value = super.getProperty(obj, str);
        if (value != null) {
            return value;
        }
        if (!WSHandlerConstants.SEND_SIGV.equals(str)) {
            return null;
        }
        SoapMessage inbound = (SoapMessage) obj;
        if (!isRequestor(inbound)) {
            return null;
        }
        // The value is read from the outbound message of the same exchange.
        return inbound.getExchange().getOutMessage().get(str);
    }

    /**
     * Tells whether the message is an HTTP GET that carries no XML stream.
     *
     * <p>handleMessage() returns without any security processing when this is {@code true},
     * so anything reachable through such a request is not protected by this interceptor.
     *
     * @param soapMessage the message being processed
     * @return {@code true} if the request method is "GET" and no {@link XMLStreamReader} content is set
     */
    public final boolean isGET(SoapMessage soapMessage) {
        String httpMethod = (String) soapMessage.get(Message.HTTP_REQUEST_METHOD);
        if (!"GET".equals(httpMethod)) {
            return false;
        }
        return soapMessage.getContent(XMLStreamReader.class) == null;
    }

    /**
     * Processes the WS-Security header of an inbound SOAP message and publishes the results
     * on the message.
     *
     * <p>Messages already marked with {@link #SECURITY_PROCESSED}, and GET requests without an
     * XML stream (see isGET()), are returned untouched. Otherwise the security header is run
     * through a WSSecurityEngine, the results are checked against the configured actions, and
     * the principal, signature and timestamp results are stored on the message.
     *
     * @param soapMessage the inbound message
     * @throws Fault a SoapFault when SAAJ or StAX handling fails, or when security processing
     *         raises a WSSecurityException (logged at WARNING before conversion)
     */
    @Override // org.apache.cxf.interceptor.Interceptor
    public void handleMessage(SoapMessage soapMessage) throws Fault {
        WSSecurityEngine securityEngine;
        // Process each message once, and skip body-less GET requests entirely.
        if (soapMessage.containsKey(SECURITY_PROCESSED) || isGET(soapMessage)) {
            return;
        }
        soapMessage.put(SECURITY_PROCESSED, (Object) Boolean.TRUE);
        // VALIDATE_TOKEN defaults to true; false selects the non-validating UsernameToken path below.
        boolean contextualBoolean = MessageUtils.getContextualBoolean(soapMessage, SecurityConstants.VALIDATE_TOKEN, true);
        translateProperties(soapMessage);
        CXFRequestData cXFRequestData = new CXFRequestData();
        // A WSSConfig placed on the message context takes precedence over this interceptor's own engine.
        WSSConfig wSSConfig = (WSSConfig) soapMessage.getContextualProperty(WSSConfig.class.getName());
        if (wSSConfig != null) {
            securityEngine = new WSSecurityEngine();
            securityEngine.setWssConfig(wSSConfig);
        } else {
            securityEngine = getSecurityEngine(contextualBoolean);
            if (securityEngine == null) {
                securityEngine = new WSSecurityEngine();
            }
            wSSConfig = securityEngine.getWssConfig();
        }
        cXFRequestData.setWssConfig(wSSConfig);
        SOAPMessage sOAPMessage = getSOAPMessage(soapMessage);
        boolean isLoggable = LOG.isLoggable(Level.FINE);
        boolean isLoggable2 = TIME_LOG.isLoggable(Level.FINE);
        SoapVersion version = soapMessage.getVersion();
        if (isLoggable) {
            LOG.fine("WSS4JInInterceptor: enter handleMessage()");
        }
        // j = start, j2 = just before header processing, j3 = just after it; only filled when timing is logged.
        long j = 0;
        long j2 = 0;
        long j3 = 0;
        if (isLoggable2) {
            j = System.currentTimeMillis();
        }
        try {
            try {
                try {
                    cXFRequestData.setMsgContext(soapMessage);
                    computeAction(soapMessage, cXFRequestData);
                    // arrayList receives the individual actions decoded from the configured action string.
                    ArrayList arrayList = new ArrayList();
                    int decodeAction = WSSecurityUtil.decodeAction(getAction(soapMessage, version), arrayList);
                    String str = (String) getOption("actor");
                    cXFRequestData.setCallbackHandler(getCallback(cXFRequestData, decodeAction, contextualBoolean));
                    // Strict password-type checking is switched on unless the option was set explicitly.
                    // NOTE(review): setProperty() is called while handling a message; confirm it does not
                    // race when one interceptor instance serves concurrent requests.
                    if (((String) getOption(WSHandlerConstants.PASSWORD_TYPE_STRICT)) == null) {
                        setProperty(WSHandlerConstants.PASSWORD_TYPE_STRICT, "true");
                    }
                    doReceiverAction(decodeAction, cXFRequestData);
                    if (isLoggable2) {
                        j2 = System.currentTimeMillis();
                    }
                    List<WSSecurityEngineResult> processSecurityHeader = securityEngine.processSecurityHeader(WSSecurityUtil.getSecurityHeader(sOAPMessage.getSOAPPart(), str), cXFRequestData);
                    if (isLoggable2) {
                        j3 = System.currentTimeMillis();
                    }
                    if (processSecurityHeader == null || processSecurityHeader.isEmpty()) {
                        ArrayList arrayList2 = new ArrayList();
                        // NOTE(review): a message whose body is a SOAP Fault and which produced no security
                        // results reaches doResults() without checkActions() being called. Confirm that this
                        // exemption is acceptable wherever the interceptor is installed.
                        if (sOAPMessage.getSOAPPart().getEnvelope().getBody().hasFault()) {
                            LOG.warning("Request does not contain Security header, but it's a fault.");
                            doResults(soapMessage, str, sOAPMessage.getSOAPHeader(), sOAPMessage.getSOAPBody(), arrayList2);
                        } else {
                            // No results at all: checkActions() decides whether that satisfies the configured actions.
                            checkActions(soapMessage, cXFRequestData, arrayList2, arrayList);
                            doResults(soapMessage, str, sOAPMessage.getSOAPHeader(), sOAPMessage.getSOAPBody(), arrayList2);
                        }
                    } else {
                        if (cXFRequestData.getWssConfig().isEnableSignatureConfirmation()) {
                            checkSignatureConfirmation(cXFRequestData, processSecurityHeader);
                        }
                        storeSignature(soapMessage, cXFRequestData, processSecurityHeader);
                        storeTimestamp(soapMessage, cXFRequestData, processSecurityHeader);
                        checkActions(soapMessage, cXFRequestData, processSecurityHeader, arrayList);
                        // The VALIDATE_TOKEN flag is passed on; doResults() skips token conversion when it is true.
                        doResults(soapMessage, str, sOAPMessage.getSOAPHeader(), sOAPMessage.getSOAPBody(), processSecurityHeader, contextualBoolean);
                    }
                    // Hand the processed body and headers back to the CXF message.
                    advanceBody(soapMessage, sOAPMessage.getSOAPBody());
                    SAAJInInterceptor.replaceHeaders(sOAPMessage, soapMessage);
                    if (isLoggable2) {
                        long currentTimeMillis = System.currentTimeMillis();
                        TIME_LOG.fine("Receive request: total= " + (currentTimeMillis - j) + " request preparation= " + (j2 - j) + " request processing= " + (j3 - j2) + " header, cert verify, timestamp= " + (currentTimeMillis - j3) + IOUtils.LINE_SEPARATOR_UNIX);
                    }
                    if (isLoggable) {
                        LOG.fine("WSS4JInInterceptor: exit handleMessage()");
                    }
                } catch (SOAPException e) {
                    throw new SoapFault(new org.apache.cxf.common.i18n.Message("SAAJ_EX", LOG, new Object[0]), (Throwable) e, version.getSender());
                }
            } catch (WSSecurityException e2) {
                // Security failures are logged with their stack trace, then turned into a SOAP fault.
                LOG.log(Level.WARNING, "", (Throwable) e2);
                throw createSoapFault(version, e2);
            } catch (XMLStreamException e3) {
                throw new SoapFault(new org.apache.cxf.common.i18n.Message("STAX_EX", LOG, new Object[0]), (Throwable) e3, version.getSender());
            }
        } finally {
            // Always clear the per-request data, whether processing succeeded or failed.
            cXFRequestData.clear();
        }
    }

    /**
     * Rejects the message when the security results found in it do not satisfy the configured
     * actions, unless the ignore-actions flag is set.
     *
     * @param soapMessage unused here
     * @param requestData unused here
     * @param list results produced by processing the security header
     * @param list2 actions decoded from the configuration
     * @throws WSSecurityException with error code 3 when the results do not match
     */
    private void checkActions(SoapMessage soapMessage, RequestData requestData, List<WSSecurityEngineResult> list, List<Integer> list2) throws WSSecurityException {
        boolean actionsAccepted = this.ignoreActions || checkReceiverResultsAnyOrder(list, list2);
        if (!actionsAccepted) {
            LOG.warning("Security processing failed (actions mismatch)");
            // 3 is presumably WSSecurityException.INVALID_SECURITY; confirm against the WSS4J version in use.
            throw new WSSecurityException(3);
        }
    }

    /**
     * Stores the last result of action type 2 on the message under {@link #SIGNATURE_RESULT}.
     *
     * @param soapMessage message that receives the result
     * @param requestData unused here
     * @param list all results produced by processing the security header
     * @throws WSSecurityException declared by the signature; not thrown by the visible code
     */
    private void storeSignature(SoapMessage soapMessage, RequestData requestData, List<WSSecurityEngineResult> list) throws WSSecurityException {
        // Action code 2 is presumably WSConstants.SIGN; confirm against the WSS4J version in use.
        List<WSSecurityEngineResult> signatureResults = WSSecurityUtil.fetchAllActionResults(list, 2, new ArrayList());
        if (!signatureResults.isEmpty()) {
            int lastIndex = signatureResults.size() - 1;
            soapMessage.put(SIGNATURE_RESULT, (Object) signatureResults.get(lastIndex));
        }
    }

    /**
     * Stores the last result of action type 32 on the message under {@link #TIMESTAMP_RESULT}.
     *
     * @param soapMessage message that receives the result
     * @param requestData unused here
     * @param list all results produced by processing the security header
     * @throws WSSecurityException declared by the signature; not thrown by the visible code
     */
    private void storeTimestamp(SoapMessage soapMessage, RequestData requestData, List<WSSecurityEngineResult> list) throws WSSecurityException {
        // Action code 32 is presumably WSConstants.TS; confirm against the WSS4J version in use.
        List<WSSecurityEngineResult> timestampResults = WSSecurityUtil.fetchAllActionResults(list, 32, new ArrayList());
        if (!timestampResults.isEmpty()) {
            int lastIndex = timestampResults.size() - 1;
            soapMessage.put(TIMESTAMP_RESULT, (Object) timestampResults.get(lastIndex));
        }
    }

    /**
     * Extension hook called by handleMessage() before the configured action is decoded.
     * This implementation does nothing.
     *
     * @param soapMessage the message being processed
     * @param requestData the per-request WSS4J state
     */
    protected void computeAction(SoapMessage soapMessage, RequestData requestData) {
        // Intentionally empty: subclasses may override.
    }

    /**
     * Publishes the security results with the final flag of the six-argument overload set to
     * {@code false}, which means the principal's token is converted for downstream use.
     *
     * @param soapMessage message that receives the results
     * @param str actor the results were produced for
     * @param element SOAP header element
     * @param element2 SOAP body element
     * @param list results produced by processing the security header
     */
    protected void doResults(SoapMessage soapMessage, String str, Element element, Element element2, List<WSSecurityEngineResult> list) throws SOAPException, XMLStreamException, WSSecurityException {
        final boolean skipTokenConversion = false;
        doResults(soapMessage, str, element, element2, list, skipTokenConversion);
    }

    /* JADX INFO: Access modifiers changed from: protected */
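    /**
     * Records the security results on the message and exposes the authenticated principal.
     *
     * <p>The results are prepended to the list stored under RECV_RESULTS (created if absent).
     * Every result carrying a principal that isSecurityContextPrincipal() accepts then
     * overwrites {@link #PRINCIPAL_RESULT} and the message's {@link SecurityContext}, so the
     * last such result determines the final values.
     *
     * @param soapMessage message that receives the results
     * @param str actor the results were produced for
     * @param element SOAP header element; unused here
     * @param element2 SOAP body element; unused here
     * @param list results produced by processing the security header
     * @param z when {@code true}, the principal's token is not passed to WSS4JTokenConverter
     */
    public void doResults(SoapMessage soapMessage, String str, Element element, Element element2, List<WSSecurityEngineResult> list, boolean z) throws SOAPException, XMLStreamException, WSSecurityException {
        List<WSHandlerResult> handlerResults = CastUtils.cast((List<?>) soapMessage.get(WSHandlerConstants.RECV_RESULTS));
        if (handlerResults == null) {
            handlerResults = new ArrayList<WSHandlerResult>();
            soapMessage.put(WSHandlerConstants.RECV_RESULTS, handlerResults);
        }
        handlerResults.add(0, new WSHandlerResult(str, list));
        for (WSSecurityEngineResult result : list) {
            Principal principal = (Principal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            if (principal != null && isSecurityContextPrincipal(principal, list)) {
                soapMessage.put(PRINCIPAL_RESULT, principal);
                if (!z) {
                    WSS4JTokenConverter.convertToken(soapMessage, principal);
                }
                // Typed put keyed by the SecurityContext class. The decompiled listing cast the
                // context itself to Class here, which cannot work for a SecurityContext value.
                soapMessage.put(SecurityContext.class, createSecurityContext(principal));
            }
        }
    }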

    /**
     * Decides whether a principal found in the results may become the message's security
     * context principal.
     *
     * @param principal principal taken from one security result
     * @param list all results of the message
     * @return {@code true} for any principal that is neither a derived-key nor a custom-token
     *         principal; for those two kinds, {@code true} only when there is at most one result
     */
    protected boolean isSecurityContextPrincipal(Principal principal, List<WSSecurityEngineResult> list) {
        boolean keyOrCustomTokenPrincipal = principal instanceof WSDerivedKeyTokenPrincipal
                || principal instanceof CustomTokenPrincipal;
        if (!keyOrCustomTokenPrincipal) {
            return true;
        }
        // A derived-key or custom-token principal is used only when nothing else was found.
        return list.size() <= 1;
    }

    /**
     * Replaces the message's XML stream with a reader over the processed SOAP body, advanced
     * past its first event and, if more input exists, one further event.
     *
     * @param soapMessage message whose {@link XMLStreamReader} content is replaced
     * @param node the SOAP body node to read from
     * @throws XMLStreamException if the reader cannot be advanced
     */
    protected void advanceBody(SoapMessage soapMessage, Node node) throws SOAPException, XMLStreamException, WSSecurityException {
        XMLStreamReader bodyReader = StaxUtils.createXMLStreamReader(new DOMSource(node));
        final int firstEvent = bodyReader.next();
        int extraSteps = 0;
        // NOTE(review): the event test below is always true (no value equals both constants),
        // so the loop reduces to "advance once more if there is more input". It is kept as
        // written because changing it would move the reader position later code relies on.
        while (bodyReader.hasNext() && extraSteps < 1
                && (firstEvent != XMLStreamReader.END_ELEMENT || firstEvent != XMLStreamReader.START_ELEMENT)) {
            bodyReader.next();
            extraSteps++;
        }
        soapMessage.setContent(XMLStreamReader.class, bodyReader);
    }

    /**
     * Wraps a principal in a minimal {@link SecurityContext}.
     *
     * <p>The context carries identity only: {@code isUserInRole} answers {@code false} for
     * every role, so role-based authorization against this context always denies. Override
     * this method to supply role information.
     *
     * @param principal the authenticated principal
     * @return a context exposing that principal and no roles
     */
    protected SecurityContext createSecurityContext(final Principal principal) {
        return new SecurityContext() {
            /** Returns the principal captured when the context was created. */
            @Override // org.apache.cxf.security.SecurityContext
            public Principal getUserPrincipal() {
                return principal;
            }

            /** Always {@code false}: this context holds no role information. */
            @Override // org.apache.cxf.security.SecurityContext
            public boolean isUserInRole(String str) {
                return false;
            }
        };
    }

    /**
     * Returns the configured security action string, taken from the interceptor option
     * "action" or, failing that, from the message entry of the same name.
     *
     * @param soapMessage message consulted when the interceptor option is not set
     * @param soapVersion SOAP version used to build the fault code
     * @return the action string, never {@code null}
     * @throws SoapFault with a receiver fault code when no action is defined anywhere
     */
    private String getAction(SoapMessage soapMessage, SoapVersion soapVersion) {
        String action = (String) getOption("action");
        if (action == null) {
            action = (String) soapMessage.get("action");
        }
        if (action == null) {
            // Refuse to process a message when no security requirement has been configured.
            LOG.warning("No security action was defined!");
            throw new SoapFault("No security action was defined!", soapVersion.getReceiver());
        }
        return action;
    }

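    /**
     * Chooses the callback handler for this request, tolerating a missing handler when token
     * validation has been switched off for a UsernameToken action.
     *
     * <p>On that lenient path any failure to resolve a handler is logged at FINE and the
     * request continues with a DelegatingCallbackHandler around whatever was found (possibly
     * nothing). The password is then not verified through a configured handler here, so
     * another component must authenticate the caller.
     *
     * @param requestData per-request WSS4J state
     * @param i bit mask of the security actions to perform
     * @param z whether tokens are validated by this interceptor; handleMessage() passes the
     *          VALIDATE_TOKEN setting
     * @return the resolved handler on the strict path, otherwise a DelegatingCallbackHandler
     * @throws WSSecurityException if handler resolution fails on the strict path
     */
    protected CallbackHandler getCallback(RequestData requestData, int i, boolean z) throws WSSecurityException {
        // Bits 1 and 8192 are presumably WSConstants.UT and WSConstants.UT_NOPASSWORD; confirm.
        boolean usernameTokenAction = (i & 1) != 0 || (i & 8192) != 0;
        if (z || !usernameTokenAction) {
            return getCallback(requestData, i);
        }
        CallbackHandler callbackHandler = null;
        try {
            callbackHandler = getCallback(requestData, i);
        } catch (Exception e) {
            // Best effort by design, but leave a trace so a misconfigured handler can be diagnosed.
            LOG.log(Level.FINE, "No callback handler could be resolved; continuing without one", e);
        }
        return new DelegatingCallbackHandler(callbackHandler);
    }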

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v29, types: [java.lang.Object] */
    /* JADX WARN: Type inference failed for: r10v1 */
    /**
     * Resolves the callback handler for the given actions and wraps it with the endpoint's
     * token store when one is registered.
     *
     * <p>When either of the action bits in mask 5 is set, the handler comes from the
     * CALLBACK_HANDLER contextual property (an instance, or a class name that is loaded and
     * instantiated reflectively) and otherwise from getPasswordCallbackHandler(). Because a
     * String value selects the class that supplies passwords and keys, the property should be
     * set only from deployment configuration.
     *
     * @param requestData per-request WSS4J state; its message context must be a SoapMessage
     * @param i bit mask of the security actions to perform
     * @return the resolved handler, wrapped in a TokenStoreCallbackHandler if the endpoint has
     *         a TokenStore; may be {@code null} when nothing is configured and there is no store
     * @throws WSSecurityException if the configured class cannot be loaded or instantiated, or
     *         if no password handler is available and the endpoint has no TokenStore
     */
    protected CallbackHandler getCallback(RequestData requestData, int i) throws WSSecurityException {
        TokenStore tokenStore;
        TokenStore tokenStore2;
        CallbackHandler callbackHandler = null;
        // Mask 5 is presumably WSConstants.UT | WSConstants.ENCR; confirm against the WSS4J version in use.
        if ((i & 5) != 0) {
            // Decompiler note: the "??" type below is a JADX inference failure, not valid Java.
            ?? contextualProperty = ((SoapMessage) requestData.getMsgContext()).getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
            boolean z = contextualProperty instanceof String;
            CallbackHandler newInstance = contextualProperty;
            if (z) {
                // A String is treated as a class name and instantiated with its no-arg constructor.
                try {
                    newInstance = ClassLoaderUtils.loadClass((String) contextualProperty, getClass()).newInstance();
                } catch (Exception e) {
                    throw new WSSecurityException(e.getMessage(), e);
                }
            }
            // Values that are not CallbackHandler instances are ignored rather than rejected.
            if (newInstance instanceof CallbackHandler) {
                callbackHandler = newInstance;
            }
            if (callbackHandler == null) {
                try {
                    callbackHandler = getPasswordCallbackHandler(requestData);
                } catch (WSSecurityException e2) {
                    // No password handler: fall back to a store-only handler if the endpoint has a TokenStore.
                    Endpoint endpoint = (Endpoint) ((SoapMessage) requestData.getMsgContext()).getExchange().get(Endpoint.class);
                    if (endpoint == null || endpoint.getEndpointInfo() == null || (tokenStore2 = (TokenStore) endpoint.getEndpointInfo().getProperty(TokenStore.class.getName())) == null) {
                        throw e2;
                    }
                    return new TokenStoreCallbackHandler(null, tokenStore2);
                }
            }
        }
        // With a TokenStore on the endpoint, the store is consulted before the resolved handler.
        Endpoint endpoint2 = (Endpoint) ((SoapMessage) requestData.getMsgContext()).getExchange().get(Endpoint.class);
        return (endpoint2 == null || endpoint2.getEndpointInfo() == null || (tokenStore = (TokenStore) endpoint2.getEndpointInfo().getProperty(TokenStore.class.getName())) == null) ? callbackHandler : new TokenStoreCallbackHandler(callbackHandler, tokenStore);
    }

    /**
     * Selects the security engine for a request.
     *
     * <p>An engine built by the Map constructor always wins, whatever {@code z} is. Without
     * one, switching validation off yields an engine whose UsernameToken validator is a
     * {@link NoOpValidator}: the token's password is then not checked by this interceptor,
     * and the caller must be authenticated elsewhere.
     *
     * @param z whether tokens are validated by this interceptor
     * @return the override engine if present; otherwise {@code null} when {@code z} is
     *         {@code true}, or a new engine with a no-op UsernameToken validator when it is
     *         {@code false}
     */
    protected WSSecurityEngine getSecurityEngine(boolean z) {
        WSSecurityEngine override = this.secEngineOverride;
        if (override != null) {
            return override;
        }
        if (!z) {
            Map<QName, Object> validators = new HashMap<QName, Object>(1);
            validators.put(WSSecurityEngine.USERNAME_TOKEN, new NoOpValidator());
            return createSecurityEngine(validators);
        }
        // Validation on and no override: the caller creates a default engine.
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a security engine whose configuration carries the given processors and validators.
     *
     * <p>Each entry is registered by value type: a {@code Class} or a {@link Processor} as the
     * processor for that QName, a {@link Validator} as its validator, and {@code null} as a
     * null processor class. Values of any other type are skipped without an error, so a
     * mistyped entry leaves the default in place.
     *
     * @param map QName-keyed processors and validators; must not be {@code null}
     * @return a new engine using a fresh WSSConfig populated from the map
     */
    public static WSSecurityEngine createSecurityEngine(Map<QName, Object> map) {
        // Decompiled form of an assertion that the map is non-null.
        if (!$assertionsDisabled && map == null) {
            throw new AssertionError();
        }
        WSSConfig config = WSSConfig.getNewInstance();
        for (Map.Entry<QName, Object> entry : map.entrySet()) {
            QName elementName = entry.getKey();
            Object handler = entry.getValue();
            if (handler == null) {
                config.setProcessor(elementName, (Class<?>) null);
            } else if (handler instanceof Class) {
                config.setProcessor(elementName, (Class<?>) handler);
            } else if (handler instanceof Processor) {
                config.setProcessor(elementName, (Processor) handler);
            } else if (handler instanceof Validator) {
                config.setValidator(elementName, (Validator) handler);
            }
        }
        WSSecurityEngine engine = new WSSecurityEngine();
        engine.setWssConfig(config);
        return engine;
    }

    /**
     * Converts a security failure into a SOAP fault suited to the message's SOAP version.
     *
     * <p>For version 1.1 the exception's fault code, when present, becomes the fault code. In
     * every other case the fault uses the version's sender code, and for versions other than
     * 1.1 the exception's code is attached as a sub-code. The fault text is the exception's
     * own message; review what those messages reveal if faults are returned to untrusted peers.
     *
     * @param soapVersion SOAP version of the message being processed
     * @param wSSecurityException the failure to report
     * @return the fault to throw
     */
    private SoapFault createSoapFault(SoapVersion soapVersion, WSSecurityException wSSecurityException) {
        QName faultCode = wSSecurityException.getFaultCode();
        boolean soap11 = soapVersion.getVersion() == 1.1d;
        if (soap11 && faultCode != null) {
            return new SoapFault(wSSecurityException.getMessage(), wSSecurityException, faultCode);
        }
        SoapFault senderFault = new SoapFault(wSSecurityException.getMessage(), wSSecurityException, soapVersion.getSender());
        if (!soap11 && faultCode != null) {
            senderFault.setSubCode(faultCode);
        }
        return senderFault;
    }

    // Initializes the assertion flag, the processed-marker key and both loggers, in that order.
    static {
        final Class<?> self = WSS4JInInterceptor.class;
        $assertionsDisabled = !self.desiredAssertionStatus();
        final String className = self.getName();
        SECURITY_PROCESSED = className + ".DONE";
        LOG = LogUtils.getL7dLogger(self);
        // The timing logger has its own name so it can be enabled separately.
        TIME_LOG = LogUtils.getL7dLogger(self, null, className + "-Time");
    }
}
